Port Knocking applied to websites
If you're unfamiliar with Port Knocking, it's a simple concept that can add a layer of security to your server. If you run a Linux server that's accessible on the Internet you'll see your logs fill up with bots trying to brute force passwords. Changing the default port helps but still leaves you open to port scans. Fail2Ban, a script which monitors login failures and adds firewall rules to block people who have failed to log in too many times, also helps. Finally, configuring static firewall rules so that only a few select IPs can access the server in the first place helps too. So back to Port Knocking. The technique works by not exposing the ssh port at all, but instead listening for packets arriving at the host on ports that, to the outside world, look closed. The host silently watches those ports, and when the correct secret sequence of "knocks" has been sent, the ssh port is unlocked for that IP address. What this security by obscurity gives you is protection against zero-day or unpatched exploits against the server, in cases where the login screen can be bypassed or some other mechanical flaw would let the server be compromised.
I've written a module for nginx that takes the concept of "Port Knocking" and applies it to websites. When you visit a configured nginx website, it returns a 404 "page not found" error. However, if you go to the secret URLs, even though they all, on the surface, appear to return 404, you are secretly handshaking with nginx. After you've hit the magic combination your IP is logged server side, and you're allowed to visit the site (that is, it returns content instead of 404). The benefits include:
- private websites
- protect login pages against bots and scripts
- protect against zero-day exploits
- protect against known exploits if you're slow to patch the site
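To make the handshake concrete, here is an added example (my illustration, not the nginx module's own code) modelling its per-IP state machine in Python: a client that fetches the secret URLs in order within a time window gets its IP added to an allow list for a limited time, and everything else, including the knock URLs themselves, answers 404. The class name, the URL sequence, the knock window and the grant lifetime are all made-up values.

```python
import time


class WebKnockGate:
    """Per-client model of the web port-knocking handshake (hypothetical
    names and values, not the real module's API).

    Every request answers 404 until the client has fetched the secret URLs
    in order within `knock_window` seconds; its IP is then served real
    content for `grant_ttl` seconds. A wrong or late knock resets progress.
    """

    def __init__(self, sequence, knock_window=30.0, grant_ttl=600.0):
        self.sequence = list(sequence)
        self.knock_window = knock_window
        self.grant_ttl = grant_ttl
        self.progress = {}  # ip -> (next knock index, time of last good knock)
        self.allowed = {}   # ip -> grant expiry timestamp

    def is_allowed(self, ip, now):
        expiry = self.allowed.get(ip)
        if expiry is not None and now < expiry:
            return True
        self.allowed.pop(ip, None)  # expired grant (or none): drop it
        return False

    def handle(self, ip, path, now=None):
        """Return the HTTP status the gate would send for this request."""
        now = time.time() if now is None else now
        if self.is_allowed(ip, now):
            return 200
        idx, last = self.progress.get(ip, (0, now))
        if now - last > self.knock_window:
            idx = 0  # sequence took too long: start over
        if path != self.sequence[idx]:
            idx = 0  # wrong step: restart the sequence
        if path == self.sequence[idx]:
            idx += 1  # correct knock (possibly a fresh first knock)
        if idx == len(self.sequence):
            self.allowed[ip] = now + self.grant_ttl  # handshake complete
            self.progress.pop(ip, None)
        elif idx > 0:
            self.progress[ip] = (idx, now)
        else:
            self.progress.pop(ip, None)
        return 404  # knock URLs look exactly like any other missing page


def demo():
    gate = WebKnockGate(["/a7f1", "/b9e2", "/c3d4"])  # constructed secret sequence
    ip = "203.0.113.5"  # documentation-range address, constructed
    return [gate.handle(ip, p, now=t)
            for t, p in enumerate(["/", "/a7f1", "/b9e2", "/c3d4", "/"])]


if __name__ == "__main__":
    print(demo())
```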
Check out a video demonstration I made here.
Writing the code was a lot of fun. The code and more information are available in the git repo here.